SMARTCAT SECURITY AND COMPLIANCE
Objective
This information security program (the “Security Program”) relates to how Smartcat protects the information received through Smartcat’s website, services, and technology platform located at https://www.smartcat.com/ (the “Smartcat Platform”). The information you provide to Smartcat is protected by a security system that meets industry standards and compliance requirements. The Security Program applies to both the physical security and the IT-systems security of the Smartcat application and infrastructure.
Smartcat Staff and Management
Smartcat's dedicated employees and contractors make every effort to secure information, electronic devices, and network resources.
Smartcat’s Policies
To secure information, Smartcat adheres to standard policies for IT companies, including but not limited to “Information Security Policy”, “Incident Response Plan”, “Cryptography Policy”, and “Secure Development Policy”. Smartcat reviews these policies at least annually.
Security Certifications
Smartcat uses Tier IV data centers in the U.S., EU, and China, run by AWS and Microsoft Azure, which are SOC-1, SOC-2, and SOC-3 compliant.
Smartcat passed an independent third-party audit and received a SOC 2 Type II security certificate.
Smartcat uses a third-party payment provider that is PCI DSS Level 1 compliant, which is the highest level of certification within the Payment Card Industry Data Security Standard.
Secure cloud storage
By storing your data in the cloud, you can be sure of its safety. Intruders would not be able to access it if your computer is stolen or infected by a virus. Even if your computer breaks, all of your data remains safe and available to you.
Information Security Awareness, Education & Training
All Smartcat employees and third parties with administrative or privileged technical access to Smartcat production systems and networks must complete security awareness training at the time of hire and annually thereafter. Employees and contractors are made aware of the relevant information security policies and procedures.
Security Incident Response
The Smartcat Incident Response Plan outlines the internal procedures to be followed in the event of possible or actual unauthorized access to Smartcat or customer data. In line with SOC 2 requirements, the Incident Response Plan is reviewed and tested on an annual basis.
In the event of a threat to business continuity, Smartcat can recover data with minimal losses in accordance with the following indicators:
Restore Point Objective of no more than 24 hours
Restore Time Objective of no more than 24 hours
Log Analysis
Smartcat stores system and application logs as well as user activity records, which are retained for a period of up to 1 year.
Penetration Testing
Smartcat carries out regular penetration tests. The results are available to customers or other interested parties upon request, subject to an additional non-disclosure agreement with Smartcat.
Partners and Providers
To enhance Smartcat Platform services and functions, Smartcat uses third-party subcontractors (partners and providers), who have executed a service agreement with confidentiality clauses or a separate non-disclosure agreement with Smartcat.
Privacy
Smartcat’s privacy activities are based on the applicable personal data protection laws in the jurisdictions where the Smartcat Platform operates around the world, including but not limited to GDPR. The privacy of your data is guaranteed by the Smartcat Terms of Service (https://www.smartcat.com/terms/) and the Smartcat Privacy Policy (https://www.smartcat.com/privacy-policy/).
Access Control
Only a limited number of Smartcat employees and contractors have access to personal data and information; they are thoroughly vetted by our security team and may use your personal data only as part of their work. In addition, access is limited by authorization procedures and infrastructure controls, so employees without sufficient rights cannot access personal data.
Smartcat employees and contractors must have a valid ID, username, and password to access the corporate networks. In addition, VPN and Multi-Factor Authentication are required to access critical business systems.
All accounts in the system are isolated, so users of one account cannot access the information in another. This means that all linguistic resources are only available to you and the users that you authorize.
For Corporate customers, we can configure the ability to manage users via the company's Single Sign-On (SSO) provider. Smartcat currently supports three major authentication systems: ADFS, Azure AD, and Okta. For details, please refer to this article.
Physical Security
Physical security measures for Smartcat offices, facilities, paper records, and corporate IT systems are applied to protect against theft, misuse, environmental threats, unauthorized access, and other threats to the confidentiality, integrity, and availability of classified data and systems. The physical control measures are as follows:
2 checkpoints;
Badge Access;
CCTV;
24x7 security.
Business Continuity, Disaster Recovery, Backup
In the event of a major disruption affecting the availability and/or security of the Smartcat office, staff and management will determine and apply mitigating actions.
Security measures to protect backups are applied in accordance with the confidentiality or sensitivity of the data. Backup copies of information, software, and system images are taken regularly to protect against loss of data.
Backups to our servers and data centers are configured to run daily on in-scope systems. The backup schedules are maintained within the backup application software.
A disaster recovery test, including a test of backup restoration processes, is performed on an annual basis.
Continuity of information security is ensured along with operational continuity.
Cryptography
To ensure proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information, Smartcat uses cryptographic keys for digital signatures, encryption, and hashing.
Information is encrypted as follows:
The Platform uses an HTTPS/TLS protocol to protect data in transit between the User’s computer and Smartcat servers;
For the web certificate, Smartcat uses a digital signature key type, DSA or RSA PKCS#1 algorithm, 2048 bit key length;
For the web cipher, Smartcat uses encryption key type, AES algorithm, 256 bit key length;
For confidentiality, Smartcat uses encryption key type, AES algorithm, 256 bit key length;
All passwords are stored in hashed and salted form (Bcrypt, PBKDF2, or scrypt, ECDH key type; at least 256 bit key length), and several external authorized services are supported via OAuth 2.0. All passwords in the production configuration files are encrypted, and the certificates required to decrypt the configs are installed on the production machines by administrators; lower-level engineers cannot access them.
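As an added illustration of the salted-and-hashed password storage described above, the following Python example (written for this page, not Smartcat's own implementation) derives a per-user salted PBKDF2-HMAC-SHA256 hash, stores it in a self-describing record, verifies a login attempt in constant time, and flags records whose work factor has fallen below policy. The iteration count, salt size, and record format are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this illustration only (not Smartcat's actual settings).
ALGO = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000   # current policy work factor
SALT_BYTES = 16               # 128-bit random salt per password
DKLEN = 32                    # 256-bit derived key


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a record of the form algo$iterations$salt_b64$hash_b64.

    A fresh random salt is drawn for every call, so two users with the same
    password get different records and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def _parse(record: str):
    """Split a stored record; return None for anything malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return None
    try:
        salt = base64.b64decode(parts[2], validate=True)
        digest = base64.b64decode(parts[3], validate=True)
    except (ValueError, TypeError):
        return None
    return int(parts[1]), salt, digest


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record is malformed or weaker than the current policy,
    so it should be re-hashed on the user's next successful login."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("bad password:", verify_password("Tr0ub4dor&3", stored))
```

The record carries the algorithm name and iteration count alongside the salt, which is what lets a service raise its work factor over time: old records keep verifying, and `needs_rehash` tells the login path to replace them once the user has presented the correct password.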
Change Management
Smartcat controls changes to the organization, business processes, information processing facilities, and systems that affect information security in the production environment and financial systems. All significant changes to in-scope systems are documented.
Change management processes include:
Processes for planning and testing of changes, including remediation measures.
Documented managerial approval and authorization before proceeding with changes that may have a significant impact on information security, operations, or the production platform.
Advance notice of changes, including schedules and a description of reasonably anticipated effects.
Documentation of all emergency changes and subsequent reviews.
A process for remediating unsuccessful changes.
Secure Development
To ensure that information security is designed and implemented within the development lifecycle of applications and information systems, Smartcat continuously applies system change control procedures, software version control, technical reviews of applications after platform changes, restrictions on changes to software packages, secure system engineering principles, secure development environments, controls over outsourced development, system security testing, system acceptance testing, and protection of test data.